Chris Sanders 🔎 🧠
chrissanders88.bsky.social
Digital Forensic Analyst, Researcher, Author

Ed.D.

Founder Applied Network Defense and Rural Tech Fund

Former Mandiant, InGuardians, DoD

Author: Intrusion Detection Honeypots, Practical Packet Analysis, Applied NSM
"This has an em dash—it must be AI!" 😩

GenAI uses em dashes, in part, because it was trained on material written by authors like me. Without our consent, might I add.

The machines can pry my em dashes from my cold, dead hands.
November 12, 2025 at 2:44 PM
Investigation Scenario 🔎

A public-facing web server is no longer accessible from the browser. Your director believes a denial of service attack may be the cause.

What do you look for to investigate the cause of the availability issue?

#InvestigationPath #DFIR #SOC
November 11, 2025 at 3:15 PM
"Me, a wizard? Until a week ago, I was an astronomer, contentedly designing telescope optics."
November 7, 2025 at 2:22 PM
I'm putting the finishing touches on our annual Golden Ticket fundraiser for the Rural Technology Fund, and we really need a few more corporate sponsors. If you can help, send me a DM. Lots of great benefits! Expect 300% more whimsy this year.
November 4, 2025 at 4:29 PM
Investigation Scenario 🔎

A helpdesk tech reports that after installing an update for a third-party remote management tool, outbound connections to 45.77.XX.XX:8080 from its service started appearing across multiple endpoints.
November 4, 2025 at 3:00 PM
What are some instances where the acquisition of an effective security company by a large / publicly traded company actually made the acquired product or service better?
November 4, 2025 at 2:03 PM
Why do investigative playbooks work? #SOC #DFIR

1. In any given investigation, analysts ask investigative questions that they answer with data (evidence) to determine what happened and if malicious activity occurred.
October 29, 2025 at 4:48 PM
I've hidden 5 of my business cards around the @BSidesAugusta venue. Each one has a code written on it that's good for 50% off any one of my courses at networkdefense.io/. They're in plain sight so don't go looking above ceiling tiles or anything silly. Good luck :)
October 25, 2025 at 1:50 PM
Good morning, Augusta. #SecurityOnionCon @BSidesAugusta
October 24, 2025 at 11:28 AM
Investigation Scenario 🔎

While attending a conference, a user reports they were connected to a rogue access point for a couple of hours rather than the official conference wifi.

What do you look for to investigate the impact of the incident?

#InvestigationPath #DFIR #SOC
October 22, 2025 at 2:06 PM
When an admin creates a new user account on a domain, what do you suspect is the average time between account creation and its first authentication? I don't know the answer, generally curious on others' input.
October 20, 2025 at 6:05 PM
A peek behind the scenes on some of the @RuralTechFund space and tech outreach we do -- this time from my local library!

youtube.com/shorts/yaZW...
October 17, 2025 at 7:29 PM
A week from now, I'll be speaking at @securityonion con alongside my good friend @DefensiveDepth. We'll talk about human-centric investigation playbooks and how those manifest in Security Onion now. Hope to see you there in Augusta!

securityonionsolutions.com/conference/
October 17, 2025 at 2:14 PM
Investigation Scenario 🔎

Someone inside your network opened a file containing a honeytoken. The file is a spreadsheet on a web server that isn't linked anywhere publicly facing.

What do you look for to investigate whether an incident occurred?

#InvestigationPath #DFIR #SOC
October 14, 2025 at 2:00 PM
My photo submission for the 2026 Meteorite Calendar... three lunar stones from my collection, titled "Colors of the Moon". While we primarily think of the moon as a uniform shade, there's a lot more there than what initially meets the eye!

#space #astronomy #science #geology #STEM
October 10, 2025 at 1:22 PM
We've got students in our @RuralTechFund Infinite Sky cohort building high-altitude balloon experiments that will...

...create atmospheric and solar irradiance profiles
...collect temperature and pressure readings
...detect levels of UV and IR radiation in the upper atmosphere
October 8, 2025 at 2:07 PM
Good analysts take broad investigative questions and unpack them into specific questions that are directly answerable from evidence.

Let's say that you observed the download of a suspicious file, but it's no longer located on the file system.
October 8, 2025 at 1:37 PM
Investigation Scenario 🔎

A Windows prefetch file named RUNDLL32.EXE-3A2B9C71[.]pf shows a referenced file at C:\Users\Public\update.dll, but the DLL is missing.

You're unable to collect a memory dump and no EDR is available.
October 7, 2025 at 2:04 PM
At @RuralTechFund, we require that schools/clubs/programs we financially support aren't academically exclusionary. That means they can't limit access to tech education to only students with high grades.
October 3, 2025 at 2:18 PM
If you're a student who shows up at my office hours today, I expect you to come with your favorite song from the new Taylor album.
October 3, 2025 at 1:05 PM
They're all bangers 🔥💯
October 3, 2025 at 4:21 AM
Investigation Scenario 🔎

AV on a point of sale system flags a new startup entry named “PSLService.exe” in C:\Users\Public\Kiosk\.

Festive fall plugin or cred stealer? Something else?

What are your first few moves to investigate this finding?

#InvestigationPath #DFIR #SOC
October 1, 2025 at 2:00 PM
Periodic reminder that if you take my Investigation Theory course, you're working directly with me and I'm responding to your labs and exercises individually. That's something I prioritize above other things, and I make time for it every day.
September 26, 2025 at 1:35 PM
Investigation Scenario 🔎

You've come across a log for the following execution:

msiexec.exe /i "\\10.0.0.5\share\patch.msi" /qn

The file is not available on the remote host.

What do you look for to investigate whether an incident occurred?

#InvestigationPath #DFIR #SOC
September 23, 2025 at 2:00 PM
Investigation Scenario 🔎

A user reported that their workstation appears to reboot every night.

Unfortunately, due to admin error, Windows Event logging is disabled on the host.

What do you look for to investigate whether an incident occurred?

#InvestigationPath #DFIR #SOC
September 16, 2025 at 2:00 PM